On Thursday 27 May 2010 at 17:29 -0300, Felipe W Damasio wrote:
> Hi Mr. Engelhardt,
>
> I created a script using the instructions you gave me.
>
> The result was:
>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> extrachain all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
> TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 connmark match 0x0 TPROXY redirect 0.0.0.0:3127 mark 0x1/0x1
> TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 connmark match 0x1 TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1
> TPROXY     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 connmark match 0x2 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
>
> Chain extrachain (1 references)
> target     prot opt source               destination
> CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 CONNMARK and 0x0
> CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 packet 1 CONNMARK xset 0x1/0xffffffff
> CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 packet 2 CONNMARK xset 0x2/0xffffffff
>
> This is for N=3 instances of squid.
>
> The TPROXY rules make sense to me (forwarding to a port based on the
> mark that was done in the extrachain). I just don't get the extrachain
> rules regarding that "--every 3" bit yet. :-)
>
> Are they right, though?

It's right only if you have a single NIC, and a single-queue one.
Or else two SYN packets could be in flight in parallel in extrachain (using two CPUs),
and the logic would be wrong.

I suggest using a first 'catch all' rule in extrachain, to make sure one CONNMARK is done.
Or else, some connections would not go through any TPROXY rule.

Chain extrachain (1 references)
target     prot opt source               destination
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            CONNMARK xset 0x0/0xffffffff
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 packet 1 CONNMARK xset 0x1/0xffffffff
CONNMARK   all  --  0.0.0.0/0            0.0.0.0/0            statistic mode nth every 3 packet 2 CONNMARK xset 0x2/0xffffffff
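As an added example (not part of the thread), a POSIX shell script that prints the iptables commands producing the corrected layout above for N squid instances: the unconditional CONNMARK first, then the nth rules, then one TPROXY rule per mark. It assumes the squid instances listen on consecutive ports starting at 3127, as in the quoted output, and only prints the commands rather than applying them.

```shell
#!/bin/sh
# Print the mangle-table rules for N squid instances on ports BASE..BASE+N-1.
# Assumption: consecutive ports starting at 3127 (matches the quoted output).
# Nothing is applied; pipe the output to sh after reviewing it.

gen_rules() {
    n="$1"
    base="${2:-3127}"

    echo "iptables -t mangle -N extrachain"
    echo "iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j extrachain"

    # Catch-all first: every NEW connection gets mark 0, so it always hits one
    # TPROXY rule even if the nth counter is raced by a SYN on another CPU.
    echo "iptables -t mangle -A extrachain -j CONNMARK --set-xmark 0x0/0xffffffff"

    # --packet k overrides mark 0 for every k-th of N connections (k >= 1);
    # mark 0 is left to the catch-all, so no --packet 0 rule is needed.
    i=1
    while [ "$i" -lt "$n" ]; do
        mark=$(printf '0x%x' "$i")
        echo "iptables -t mangle -A extrachain -m statistic --mode nth --every $n --packet $i -j CONNMARK --set-xmark $mark/0xffffffff"
        i=$((i + 1))
    done

    # One TPROXY rule per mark, appended after the extrachain jump so the
    # connmark is already set when these are evaluated.
    i=0
    while [ "$i" -lt "$n" ]; do
        mark=$(printf '0x%x' "$i")
        port=$((base + i))
        echo "iptables -t mangle -A PREROUTING -p tcp --dport 80 -m connmark --mark $mark -j TPROXY --on-port $port --tproxy-mark 0x1/0x1"
        i=$((i + 1))
    done
}

# Usage: gen_rules 3 | sh   (3 instances on 3127-3129, as in the thread)
```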